Reputation: 6008
I would like to receive a shell command from a user, and run it as a Linux user with no real privileges.
Today I'm doing this: sudo -u {username} 'sh' '-c' $'{user_command}'
Is this safe?
Upvotes: 1
Views: 298
Reputation: 158020
Manually escaping the ' sounds fragile. I would put the command into a file and execute that file as a script. This avoids command injection by design.
Further note that even an unprivileged account will have read access to many files on the host system, like /etc/passwd, or to information from /proc. If they ran ps, for example, they could see commands from other users.
Therefore I would recommend running the command in a container. Install Docker and run:
# let's say you stored the command in "user.sh" ...
docker run -v "${PWD}:/scripts" -it image_name bash /scripts/user.sh
Another thing which is relevant for security is that people could try to (a) DoS the host machine or (b) DoS other machines or attack them in a different way. For (a), make sure you put pretty strict resource constraints on the Docker container (mem, cpu, number of procs, etc.). For (b), disallow network access for the container.
Upvotes: 1
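The approach the answer sketches, written out as an added example that is not part of the original answer: the user's command becomes the content of a script file (so it is never interpolated into a shell command line), and that file is run in a throwaway container with no network and hard resource limits. The image name image_name, the limit values and the unprivileged uid 65534 are assumptions to adjust for your setup.

```sh
#!/bin/sh
# Added example, not from the original answer. Runs an untrusted shell command
# as a script inside a locked-down Docker container.
set -eu

# Hardening flags for the container (assumed values; tune for your workload):
#   --network none            no outbound/inbound network at all (point b)
#   --memory/--cpus/--pids    cap RAM, CPU time and process count (point a)
#   --read-only + --tmpfs     nothing persists except a small scratch /tmp
#   --cap-drop ALL            no Linux capabilities, even if the image runs root
#   --security-opt            setuid binaries cannot regain privileges
#   --user 65534:65534        run as "nobody", not as the image's default user
DOCKER_HARDENING="--rm --network none \
--memory 128m --memory-swap 128m --cpus 0.5 --pids-limit 64 \
--read-only --tmpfs /tmp:size=16m \
--cap-drop ALL --security-opt no-new-privileges --user 65534:65534"

# Write the raw command into $1/user.sh. No escaping is needed: the text is
# file content, not part of any command line, so quotes cannot break out.
# Prints the path of the written script.
write_user_script() {
    ( umask 077; printf '#!/bin/sh\n%s\n' "$2" > "$1/user.sh" )
    printf '%s\n' "$1/user.sh"
}

# Run one user command in a fresh container; returns the script's exit status.
# Requires Docker on the host; the mount is read-only so the script cannot
# modify itself or anything else in the staging directory.
run_user_command() {
    dir=$(mktemp -d)
    write_user_script "$dir" "$1" >/dev/null
    status=0
    # $DOCKER_HARDENING is intentionally unquoted so it splits into flags.
    docker run $DOCKER_HARDENING -v "$dir:/scripts:ro" \
        image_name sh /scripts/user.sh || status=$?
    rm -rf "$dir"
    return "$status"
}

# Only execute when explicitly asked, e.g.: RUN_SANDBOX=1 ./sandbox.sh 'id; ls /'
if [ "${RUN_SANDBOX:-0}" = 1 ]; then
    run_user_command "${1:?usage: RUN_SANDBOX=1 $0 'command'}"
fi
```

Pair the limits with a timeout on the host side (for example `timeout 30 docker run ...`) so a sleeping or looping script cannot hold the container open indefinitely.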